When there is limited visibility to a CSIRT team within a company, there is a restricted understanding of risk. This in turn has a major impact on trust, confidence, collaboration, and ultimately, budget and resource security.
Within the CSIRT environment, visibility and data are critical when it comes to gaining leadership buy-in and budget. Unless there is clear data that demonstrates the impact of various security initiatives on the organization, stakeholders will struggle to believe in their value. And if leadership cannot see the value that security brings, they are unlikely to invest in its future.
Ultimately, the effectiveness of CSIRTs and buy-in from business areas rests on both technological and social capacities.
Weak communication and visibility account for much of the lack of trust between business leaders and members of the cybersecurity functions.
Focusing on parameters of information sharing enables managers to identify effective strategies for improving CSIRT processes and performance. Information sharing refers to the exchange of incident knowledge and threat data across the organization. How the information is shared, the types of information, who it's shared with, as well as the speed and accuracy of communication before, during and after events, all contribute to the quality of responses.
Collaborative Problem Solving
To be effective in solving problems, CSIRTs must be able to engage in the process of situational awareness, collective information processing and forecasting.
Exchanging knowledge and sharing cyber threat information is important; it encourages more connection and collaboration between entities, helping organisations to prevent cyberattacks. Recommendations to increase visibility across the organization include:
- Build lasting relationships with business managers, IT architects and leaders, with full support of the Chief Information Officer (CIO) and Chief Security Officer (CSO)
- CSIRTs need a diverse collection of members with different perspectives and expertise to respond to ever-evolving incidents
- Use language that is understandable - avoid jargon
- Share data through reports or dashboards
- Ensure it is understood that cybersecurity is not the sole responsibility of the IT department
- Engage the full set of stakeholders to ensure appropriate support and decision-making
- Those in charge of the cybersecurity programme should hold frequent, scheduled meetings with stakeholders and ensure that these continue over the long term
- Join a focussed cyber intelligence community (ISACs)
- Integrate cybersecurity with business strategy to build trust and create value
- Understand how the business is changing in order to protect it
- Not everything is important, so define what needs protecting:
  - Start with a general ‘everything is important’ approach to logs and then, over time, tune it to the parts that require visibility
  - Create hunts on what’s important
  - Maintain Splunk/ELK searches, check field extractions, and make sure alert searches are tuned
Build a Robust Culture of Resilience
The CSIRT’s success depends on many factors, such as the technical resources at their disposal and team members’ level of knowledge and skills. In addition to these factors, a team’s success also depends strongly on the participation and cooperation of individual CSIRT members as well as other individuals, teams, and departments within and outside the organization.
Organizations can reap significant benefits from greater transparency about cybersecurity across the organization. It allows them to make informed decisions around security priorities and responses, training and ongoing investments, and it promotes a culture of collaboration, resilience and trust.